I like to start them with "How much you going to pay me to fix this shit?"

But then again I consult and they asked me to look in the first place ;)

Seriously though, I have only sent a couple of bugs to websites because mostly I don't care, but a credit card hole, etc. I will. The most important thing IMO is sending it to the right person in the first place: check their site for a security contact and direct it to them, or if one is not listed, just address it to security@company.com asking for the correct person to ask about security issues. Once you get that, then just be polite and explain the hole and its implications just as you would to another professional.

You may consider doing it anonymously if you don't want credit; small sites, etc. have in the past blamed the person that found the problem and caused that person trouble.

I pretty much follow a variety of formats depending on my mood, but if they don't reply, I become resentful (usually). I post them here, on milw0rm and a couple of other places. If someone gets creative and fucks with them, they'll fix it. It's pretty unorthodox but it's also not _my_ problem, it's theirs.

From another point of view, if they have your e-mail claiming the discovery and then they get fucked up, they might decide to blame you for the job. I mean, if you were working as a sysadmin and had to cover your ass in such a situation, wouldn't you blame that "evil nerd hacker kid"?

I've found that mostly companies don't want to respond because that's like admitting guilt, and they aren't prepared for what will happen if you should take that email response and publish it - especially if it will take them a while.

Right now I think there are about 20 companies who are having meetings about the "So it begins" thread that go something like this, "What is this ex ess ess thingy and why haven't you fixed it yet?"